jQuery.com September 2014 Security Retrospective

Posted on by

During the last two weeks of September, we found our way into the headlines due to a series of attacks on our web servers. Today, we wanted to give everyone a brief update on the status of our websites and a recap of what happened over the last two weeks.

jQuery Under Siege

Early on the morning of September 18th we were hit with a DDoS and went offline. We were down for a couple of hours. The sites were brought back up later that day on September 18th and all seemed well.

Later, during the afternoon of September 18th, we were contacted by a security company named RiskIQ reporting that their crawler had reported malware being served by our content sites. There were never any reports that the jQuery libraries nor the CDN were ever compromised. Immediately upon receiving that report, we completely destroyed and reimaged all of those machines, revoked and reissued all associated SSL certificates, and confirmed that there was no suspicious content being served at that point. Since then, our own team and security folks from Mozilla and MaxCDN have worked to analyze logs and attempt to confirm the impact of this attack.

On September 23rd, RiskIQ went public with their report which picked up steam throughout the day on various media outlets and Twitter. The next morning, September 24th, as DDoS attacks on our properties continued to increase both in frequency and magnitude, CVE-2014-6271, otherwise known as the ShellShock vulnerability, was issued. As we continued to respond to the media discussion and communicate to the community what had happened on September 18th, we were victimized again in a series of much more public attacks involving the repeated defacing of jquery.com.

Investigations into our systems have yet to find the initial attack vector. However, we did take some steps to make ourselves more secure. For instance, some of our WordPress installs were out of date, all of our servers were vulnerable to the recent shell vulnerabilities, NGINX was slightly out of date as well as maybe a few other patches etc. that needed to be made. The infrastructure team dove in and began making those changes and started building new, fully patched and secured servers to host our sites. It appears these changes were effective as the defacing stopped and we have not seen any evidence of intrusion since.

Later on September 24th, a massive and unrelenting DDoS attack began. It seemed as though it would come in waves, but did not stop until late on September 28th. Most of the time on September 26th and 27th was spent trying to implement various products and solutions in order to keep the servers alive. We fought day and night to try to keep the sites up. We have to commend Corey Frang, Adam Ulvi, the rest of the infrastructure team, and others; they worked through the nights and in alternating shifts to try to keep us on the internet. Without their efforts, we would not have had the short amounts of uptime we did. One significantly important step that we took was to reach out to CloudFlare, who generously and rapidly gave us access to their Enterprise service which has helped tremendously in mitigating these attacks.

Moving Forward

jQuery and the jQuery Foundation are important to the web ecosystem, as is evident from the amount of press and the number of concerned individuals and organizations that have reached out to ask questions about this attack. The jQuery Foundation works on a daily basis to maintain and improve our projects and the infrastructure around those projects. The goal of this work is to continue to make web developers’ jobs easier and make sure they have a voice in the world of standards and browsers. However, these objectives take a large quantity of resources. Whether those resources are provided by access to expertise of a company’s employees or services, or through financial support, we would be unable to continue this important work without the support of the open source community and our supporting members.

We have been asked several times throughout this ordeal about why we didn’t have XYZ service in place or why we didn’t have our security team keeping a closer eye on these types of risks. The simple answer is that our budgets are tight and resources are limited. Our infrastructure team, and most of our teams for that matter, are made up of volunteers who give their time for free to make sure things keep running. The Heartbleed and ShellShock vulnerabilities are recent examples of how badly things can go when open source projects are taken for granted and just assumed to be OK. Eventually something is going to fall through the cracks and those cracks become larger and more frequent when people are doing what they can in their spare time.

So how can you help? As an individual, get involved in one of our projects. We can always use help writing code, designing, maintaining servers, working on events and the list goes on. Take a look at contribute.jquery.org or come say hi on IRC in one of our many channels listed on irc.jquery.org. As an organization, we would love to hear about any service you may be willing to donate, any developers or other skilled professionals that you could spare for a few hours a week or if you can help financially. Send us a message at [email protected] and let us know how you can help.

We haven’t wanted to say too much about these attacks as they have been happening because we remain a juicy target in the eyes of hackers who are continuing to attempt to infiltrate our servers even as of this writing. In sharing all of this information with the community now, we’ve tried to balance the need to explain what’s been happening with the potential backlash that could happen as a result of coming out publicly and saying that we believe we have the situation under control.

That said, we do at this point believe that we have the situation under control. For this, a huge thanks is due to the entire jQuery infrastructure team, who rolled up their sleeves and worked tirelessly on these issues to get us back to a good place. We will continue to be vigilant in ensuring the reliability and safety of all of our resources for our community of users.

Update on jQuery.com Compromises

Posted on by

Today at 11:15AM EDT, the jQuery Infrastructure team received widespread reports and confirmed a compromise of jquery.com. This attack was aimed at defacing our sites, and did not inject malware like the attack that was reported on September 18th by RiskIQ. We believe that these are separate incidents that may have used the same attack vector.

We took the site down as soon as we realized there was a compromise and cleaned the infected files. We are taking steps to re-secure our servers, upgrade dependencies, and address vulnerabilities.

At no point today have there been reports of malware being distributed from any of our sites, nor has the code of any jQuery libraries on our website or CDN been affected or modified today or during last week’s reported attack. Some of this confusion stems from last week’s attackers having set up a domain name intended to dupe users into thinking it was the official jQuery CDN. Please note that the official domain for jQuery files hosted from our official CDN is code.jquery.com.

There has also been concern that the user accounts of developers and administrators who use jquery.com and the rest of our WordPress sites have somehow been compromised by this attack. However, the only people who have a user account for the WordPress sites affected by these attacks are members of the jQuery team; we do not have any public user registration for any sort of account on any of the affected sites.

We are continuing to actively work on and monitor this situation and will update you as we learn more.

Updates

We have moved http://jquery.com to a new server only running code we trust and are continuing to monitor the situation closely. – September 24, 2014 at 5:07 PM EDT via Twitter

Was jquery.com Compromised?

Posted on by

Lastest update on the compromise: Update on jQuery.com Compromises

Earlier today, RiskIQ published a blog post stating that the jQuery.com web servers were compromised and serving the RIG exploit kit for a short period of time on the afternoon of September 18th. Our internal investigation into our servers and logs have not yet found the RIG exploit kit or evidence that there was in fact a compromise.

RiskIQ was able to make contact with the jQuery Infrastructure team on September 18th, at which point with members of the RiskIQ team tried to find evidence of compromise. So far the investigation has been unable to reproduce or confirm that our servers were compromised. We have not been notified by any other security firm or users of jquery.com confirming a compromise. Normally, when we have issues with jQuery infrastructure, we hear reports within minutes on Twitter, via IRC, etc.

At no time have the hosted jQuery libraries been compromised.

Currently the only potential system compromised is the web software or server that runs jquery.com. We have asked RiskIQ to help us look through our server logs and systems to help identify when and how a compromise happened. Please check this blog post for updates on the situation.

Even though we don’t have immediate evidence of compromise, we have taken the proper precautions to ensure our servers are secure and clean. If you happened to visit any of the our sites on September 18th and are afraid of your system being compromised you can follow the advice RiskIQ recommends:

  • Immediately re-image system
  • Reset passwords for user accounts that have been used on the system
  • See if any suspicious activity has originated from the offending system

jQuery Chicago Roundup!

Posted on by
jQuery Conference Chicago logo

With just over a month until we set forth for the Windy City for the first jQuery Conference in Chicago, the moment’s opportune to bring you up to speed on what we’ve got in store for you this September!

Whatchu Talkin’ Bout?

Our speakers and talks are the highlight of any jQuery conference; our lineup in Chicago is no exception. We aim to cover a broad selection of subjects from across the realm of web development, from our jQuery Foundation projects like jQuery, jQuery UI, and jQuery Mobile (so we’ll be having talks from project leads Dave Methvin, Scott González, and Alex Schmitz) to the new frontiers where JavaScript now treads (so we’ve got Lisa Deluca talking about using Arduino and Cordova together, and Micah Ransdell talking about Netflix’s adoption of Node.js). We know you want to know more about the future of the open web platform, and that’s why we’re happy to have folks like John K. Paul to go over coming changes to the language in ECMAScript 6, and TJ VanToll and Kevin Hakanson to discuss new browser APIs for form validation and cryptography.

A lot of you come to conferences to learn practical things you can take home with you, and that’s why we’re excited about sessions from (among others) Brian Arnold and Cory Gackenheimer on debugging techniques and Phil Dutson on the process of building a jQuery plugin.  We know, however, that there’s a lot more to releasing code than, well, writing code, and we’re happy to have Kassandra Perch, Alex Sexton, and Kelly Andrews joining us to talk about how to choose and use tools to ship and support the projects we work on. And we know some of you travel to conferences for the fun and games, and we’re thrilled to have Sara Gorecki and Bodil Stokke on hand to talk about building games with web technology.

This is just a handful of the speakers and subjects that’ll be on our Chicago stage(s), and we invite you to take a few minutes to check out our entire program to see what else is on the docket!

Can You Hack It At #jqcon?

Of course you can! In Chicago, however, we’re partnering with MaxCDN, DigitalOcean, and MediaTemple to officially encourage you to do so! We’ve got a wealth of data about how folks use the jQuery CDN at code.jquery.com, and it’s up to you to help us understand it. The hackathon starts the night before the conference on September 11th, and you’re free to use any medium you see fit to play with the data, whether it’s a web application or a robot. Our sponsors have stepped up to reward three participants with bountiful rewards, so we hope you join us to team up, explore, and build!

Coming Home to Roost

We’re partnering with Bocoup for the second time this year to extend our trip to Chicago with Roost, a two-day intensive class on building modern web applications taught by Ashley Williams, Ben Alman, Irene Ros, and Mike Pennisi. Roost is targeted at developers who already know JavaScript, jQuery, HTML, and CSS, and are looking to understand how to develop a better workflow for building, testing, and maintaining their applications and incorporate technologies like Backbone, RequireJS, Stylus, and more. You can check out the full training curriculum and schedule to find out exactly what’s planned.

Accommodations

Both jQuery Conference and Roost are taking place at the Sheraton Chicago in the heart of the city, so the hotel’s a convenient place to stay for the purposes of both your edification and your vacation. We’re only able to offer a discounted rate of $269 per night until August 15th, so make sure to make your reservation in our room block as soon as you can! Staying in our room block is a really helpful way you can help the jQuery Foundation fulfill some of the large financial commitment we’ve made by setting up shop in Chicago.

Brought To You By

Our sponsors and foundation members make a huge difference in our ability to host an awesome jQuery Conference for the community, and we’re happy to take a moment to thank them right here! So here’s a big THANKS to Diamond sponsors WordPress and IBM, Platinum sponsor MediaTemple, Gold sponsors MaxCDN, Bocoup, BrowserStack, Mandrill & DigitalOcean, and Silver sponsors Pebble & Accenture. (We’re still welcoming sponsors – if you’d like to have your company be a part of #jqcon, please reach out!)

Student Discount

We’re glad to be able to offer a discount to current students interested in attending jQuery Conference or Roost. Please get in touch with us for more information on how you can save $150 on tickets to one event, or $200 on a combination ticket. We know the discount is modest, but this is only the second time we’ve been able to offer a student discount of any kind, and we hope it helps. Please be advised that if you use this discount, you’ll need to show a valid student ID at registration.

Join Us

The summer’s been flying by and we can’t believe we’re only five weeks out, and we hope you’ll consider joining us on our trip (or that you’ve already booked your ticket!). Check out the conference site for more on our program and speakers, lodging, and to buy your tickets. If you have any questions, always feel free to get in touch with us on Twitter or via e-mail.

The (Not Just) jQuery Foundation

Posted on by

The jQuery Foundation’s mission has always been about more than just our namesake projects of jQuery, jQuery UI, and jQuery Mobile. We already host several projects such as Sizzle, QUnit and Globalize that are not dependent on the jQuery library.

This wider web-oriented mission is evident in our jQuery Conferences, which span a wide range of developer concerns beyond jQuery, including Node, CSS, tooling, testing and much more. Over the years we’ve had talks on build tools, accessibility, security, performance, design patterns, and frameworks such as Ember and Angular. At our San Diego conference this past February, for example, Lenny Markus gave a great talk on PayPal’s continuing adoption of Node as they move away from Java and proprietary solutions, Catherine Farman talked about real world responsive design, and John Dimm gave a talk on the HTML5 speech APIs.

The jQuery Foundation is participating in the continuing evolution of the web platform via our memberships in both the W3C and ECMA TC39 (The group standardizing what we know as JavaScript). We feel that it’s essential to have strong representation in those standards groups to ensure they meet the needs of developers. The Foundation provides a platform for developers to have a voice in these standards bodies.

Beyond the technical compatibility between our projects, we also share the open source model and all the benefits it provides. The Foundation adds the benefit of a top-level structure designed to serve the projects, providing the resources they need but letting the contributors decide the best direction for the project based on community input. Any project that joins the Foundation is given the ability to serve their community’s needs rather than be constrained by the goals of a for-profit company.

Though this has been our mission for a long time, we felt we needed to make this clearer. We are excited to start bringing this part of our mission into the light and start actively working toward a more open web accessible to everyone. If you are excited as well, please help us. Contribute your time to Foundation projects. Offer your company’s services. If you or your company have an established open source project that you believe could benefit everyone and flourish by becoming part of the jQuery Foundation, check out our philosophy around projects joining the Foundation and let us know you’re interested. If you would rather just support the existing and future projects of the Foundation through financial support, become a member of the Foundation. Open source projects will only thrive if everyone who benefits from them contributes back in whatever way they can.

Volunteers Wanted: Trac Enhancements

Posted on by

The jQuery and jQuery UI teams use Trac to do their bug reporting and tracking. The jQuery Core bug tracker could really use a Trac expert to migrate us to Trac 1.0 and fix a few nagging issues we’ve been having. If you’re an expert Trac-meister, or just someone with good Trac setup/configuration experience who’s up to the challenge, we’d love to talk with you! Send a message to dave(at)jquery.com and we’ll be in touch.

Since some of you will inevitably ask: GitHub’s integration between issues and commits is wonderful, but it’s not anywhere near as powerful as Trac when it comes to searching and reporting. In addition, our projects have more than seven years of history comprising thousands of bug reports with important data in them. That’s a non-trivial amount of data to import into GitHub issues and groom to be useful once it’s imported. We feel that staying with Trac is the lowest-effort way for us to give us the bug tracking abilities we need.

Don’t Use jquery-latest.js

Posted on by

Earlier this week the jQuery CDN had an issue that made the jquery-latest.js and jquery-latest.min.js files unavailable for a few hours in some geographical areas. (This wasn’t a problem with the CDN itself, but with the repository that provides files for the CDN.) While we always hope to have 100% uptime, this particular outage emphasized the number of production sites following the antipattern of using this file. So let’s be clear: Don’t use jquery-latest.js on a production site.

We know that jquery-latest.js is abused because of the CDN statistics showing it’s the most popular file. That wouldn’t be the case if it was only being used by developers to make a local copy. The jquery-latest.js and jquery-latest.min.js files were meant to provide a simple way to download the latest released version of jQuery core. Instead, some developers include this version directly in their production sites, exposing users to the risk of a broken site each time a new version of jQuery is released. The team tries to minimize those risks, of course, but the jQuery ecosystem is so large that we can’t possibly check it all before making a new release.

To mitigate the risk of “breaking the web”, the jQuery team decided back in 2013 that jquery-latest.js could not be upgraded to the 2.0 branch even though that is technically the latest version. There would just be too many sites that would mysteriously stop working with older versions of Internet Explorer, and many of those sites may not be maintained today.

As jQuery adoption has continued to grow, even that safeguard seems insufficient to protect against careless use of http://code.jquery.com/jquery-latest.js. So we have decided to stop updating this file, as well as the minified copy, keeping both files at version 1.11.1 forever. The latest released version is always available through either the jQuery core download page or the CDN home page. Developers can download the latest version from one of those pages or reference it in a script tag directly from the jQuery CDN by version number.

The Google CDN team has joined us in this effort to prevent inadvertent web breakage and no longer updates the file at http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.js. That file will stay locked at version 1.11.1 as well. However, note that this file currently has a very short cache time, which means you’re losing the performance benefit of of a long cache time that the CDN provides when you request a full version like 1.11.1 instead.

So please spread the word! If you see a site directly using the jQuery CDN’s jquery-latest.js or the Google CDN equivalent in their script tags, let them know they should change to a specific version. If you need the latest version, get it from the download page or our CDN page. For both the jQuery and Google CDNs, always provide a full version number when referencing files in a <script> tag. Thanks!

jQuery 1.11.1 and 2.1.1 Released

Posted on by

Ah, the air is sweet with the scent of spring and new jQuery 1.11.1 and 2.1.1 are in bloom. These are minor patch releases and shouldn’t pose any major compatibility issues. Throw a Cinco de Mayo party and have your friends come over to test. If you dig up a problem, let us know at bugs.jquery.com, and be sure to provide a simple test case using jsfiddle.net or jsbin.com to demonstrate the problem.

You can include these files directly from the jQuery CDN if you like, or copy them to your own local server. The 1.x branch includes support for IE 6/7/8 and the 2.x branch does not.

http://code.jquery.com/jquery-1.11.1.js
http://code.jquery.com/jquery-2.1.1.js

The Google and Microsoft CDNs will be getting their copies today just like you did, so please give them a few days to post the files and don’t be impatient. If you’re anxious to get a quick start, just use the files on our CDN until they have a chance to post.

Minified files (for production use) and map files (for debugging) are also available. If you want to use the map file for debugging the minified code, copy the minified file and add a //# sourceMappingURL comment to the end of the file.
http://code.jquery.com/jquery-1.11.1.min.js
http://code.jquery.com/jquery-1.11.1.min.map
http://code.jquery.com/jquery-2.1.1.min.js
http://code.jquery.com/jquery-2.1.1.min.map

Many thanks to all of you who participated in this release by testing, reporting bugs, or submitting patches, including Benjy Cui, Christian Kosmowski, Jason Frank, Julian Aubourg, Jens Simon, John Hoven, John Madhavan-Reese, Jonathan Sampson, Jörn Zaefferer, Leo Balter, Louis-Rémi Babé, Michał Gołębiowski, Oleg Gaidarenko, Philip Jägenstedt, R.G. Otten, Rhys Evans, Richard Gibson, Rick Waldron, Rob Graeber, Rodrigo Rosas, Roman Reiß, S. Andrew Sheppard, Scott González, and Timmy Willison.

Here are the changes since the last official releases (1.11.0 and 2.1.0):

Common to jQuery 1.11.1 and 2.1.1

Ajax

Attributes

Build

Core

Css

Data

Dimensions

Effects

Event

Misc

jQuery 2.1.1

Ajax

Attributes

Core

Css

Event

Manipulation

Selector

Support

jQuery 1.11.1

Css

jQuery 1.11.1 RC2 and 2.1.1 RC2 Released

Posted on by

Spring has sprung, and these release candidates for jQuery 1.11.1 and 2.1.1 are in full bloom. You know what that means? It’s time to get serious about testing! We really want our next release to be solid and reliable, and to do that we need your help. Please try out these files in your projects and pages, just a quick test would be appreciated. If you unearth any problems, let us know at bugs.jquery.com.

The beta files are located on the jQuery CDN, you can include them directly from the CDN if you like (but don’t use them in production!). As always, the 1.x branch includes support for IE 6/7/8 and the 2.x branch does not:

http://code.jquery.com/jquery-1.11.1-rc2.js
http://code.jquery.com/jquery-2.1.1-rc2.js

Here are the bugs fixed since the last official release (1.11.0 and 2.1.0):

Common to jQuery 1.11.1 RC2 and 2.1.1 RC2

Ajax

Attributes

Build

Core

Css

Dimensions

Event

Misc

jQuery 1.11.1 RC2

Css

jQuery 2.1.1 RC2

Ajax

Attributes

Core

Css

Event

Manipulation

Selector

jQuery Chicago Pebble Giveaway and Filing Extension

Posted on by
jQuery Conference Chicago logo

As we announced at the end of jQuery San Diego in February, we’re excited that the next stop for #jqcon is Chicago! In case you missed the news, we’ll be setting up shop in the City That Never Sleeps Isn’t Windy on September 12th & 13th, 2014. We’re partnering again with Bocoup to make it a four-day affair, bringing you Roost on September 11th & 12th.

Speaker Filing Extension

While we can’t do anything about today’s deadline for those of us in the US to file our tax returns, we can offer our own form of amnesty: a two-week-plus extension of our Call for Speakers until the end of April! If you got swamped in receipts – or anything else – and thought you’d missed your chance to submit, breathe a sigh of relief, and if you didn’t know the call was even open, this should hopefully provide you enough time to come up with a solid talk proposal. (And if you already have submitted, thanks!)

We’re experimenting a bit with our time slot construction in Chicago, so if you have a talk that you feel needs to go deep into technical material and run for 45 minutes or an hour, or want to lead a more hands-on-workshop type of session for even longer, we’re eager to hear about it and encourage you to to get in touch with questions about your ideas at [email protected] or on the #jquery-content channel on Freenode.

Join Us

Our early bird tickets have been going fast and will likely be gone before our original early-bird cutoff of May 31st, so if you’re aiming to keep another 50 bucks in your deep-dish pizza budget, you’ll want to act sooner than later!

The conference will be right downtown at the Sheraton Chicago Hotel & Towers, and we’re able to offer attendees of both jQuery Chicago and Roost a discounted rate if you register as part of our room block.

Join Us…Together!

We’ve always held that jQuery is better with friends, and if you’ve got colleagues you want to attend with or send to the conference, we have group packages available that include sponsorships and discounts. Get in touch with us for a prospectus and to figure out how to get your team to Chicago!

A “Rocky” Start

Pebble logo If the prospect of jQuery’s first foray into the Old Northwest wasn’t exciting enough, we’re psyched to inform you that we’ll be giving away classic Pebble devices throughout ticket sales. We’ll take a random draw of people who’ve bought tickets each month and select 2-3 folks who’ll receive a Pebble from us (and the kind folks at Pebble who’ve donated the devices) at the conference in September. The sooner you buy, the better your odds, so what are you waiting for? This post is over anyway!